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implementation of this process 



(57) The communication network comprises a de- 
vice of a first type (1 ) furnished with a source of data to 
be broadcast over the network and at least one device 
of a second type (2) intended to receive the said data. 
The symmetric key management process comprises the 
following steps: 

the source device (1 ) determines a first symmetric 
key (Kc) and transmits it securely (E1{PUB2}(Kc)) 
to at least one receiver device (2); 
a receiver device (2) receives the first symmetric 
key (Kc), encrypts it (E2) with the aid of a second 
symmetric key (Kn), known to the receiver devices 
(2) of the network and transmits it to the source de- 
vice; 



the source device (1) recovers the encryption (E2 
{Kn}(Kc)) of the first symmetric key (Kc) and stores 
it. 

Before transmitting the data (CW) to at least one 
reception device (2), the source device (1 ) encrypts (E3) 
these data with the aid of the first symmetric key (Kc), 
then it transmits these encrypted data (E3{Kc}(CW)), 
accompanied by the first encrypted symmetric key (E2 
{Kn}(Kc)), to at least one receiver device (2). 

The receiver device (2) decrypts the first symmetric 
key (Kc) with the aid of the second key (Kn) which it pos- 
sesses, then it decrypts the encrypted data with the aid 
of the first symmetric key thus recovered. 

The invention also pertains to devices for imple- 
menting the process. 
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Description 

Field of the invention 

[0001] The present invention relates in a general s 
manner to the field of local digital networks and more 
particularly to the field of digital home networks. 

Background art 

[0002] Such a network consists of a collection of de- 
vices linked together by a digital bus, for example a bus 
according to the IEEE 1394 standard. It comprises in 
particular two types of device: 

Source devices capable of transmitting data over 
the network: these devices can recover the data 
through a "channel" external to the network. 
Receiver devices, suitable for receiving the data 
flowing over the network, so as to process them or 
present them to the user. 

[0003] Thus, taking the example of a digital home net- 
work intended for conveying audio and/or video data in- 
to various rooms of a house, the source devices are, for 
example, digital decoders receiving video programmes 
from outside the network, via a satellite antenna or via 
a cable connection, or else optical disc readers broad- 
casting over the network, in digital form, data (audio and/ 
or video) read from a disc (in this case the disc contains 
data originating from outside the network). The receiver 
devices are, for example, television receivers making it 
possible to view video programmes received from the 
network or, more generally, any type of appliance having 
the capacity to decrypt encrypted data. 
[0004] From the standpoint of content providers who 
provide the data originating from outside the local net- 
work, in particular service providers broadcasting pay- 
per-view televised programmes or else optical disc pub- 
lishers for example, it is necessary to prevent these 
transmitted data from being copied and from flowing 
easily (for example by being copied onto an optical disc 
or any other recording medium) from one local network 
to another. 

[0005] To do this, it is known practice to transmit the 
data in secret form by encrypting them with the aid of 
cryptography algorithms using keys which are known 
beforehand to the appliances authorized to receive 
these data or else which are exchanged according to 
particular secure protocols between the content provid- 
er and these appliances. 

[0006] PCT patent application WO 00/62505 in the 
name of THOMSON Multimedia, filed on 31 March 2000 
and claiming the priority of a French patent application 
in the name of the same applicant, filed on 1 3 April 1 999 
and published under the reference FR 2792482, relates 
to a domestic network in which a public key specific to 
the network is used to encrypt the data flowing between 



appliances of the network, typically from the previously 
mentioned source devices to receiver devices. Only the 
appliances of this network possess the private key cor- 
responding to the public key. The (public key, private 
key) pair being specific to the network, data encrypted 
within the framework of this network cannot be decrypt- 
ed by appliances of another network. 
[0007] The use of a pair of asymmetric keys has cer- 
tain advantages, but also some drawbacks. One of the 
main advantages is that no secret is stored in the source 
appliances: these appliances are aware of the public 
key, but not the private key. However, the implementa- 
tion of asymmetric keys is relatively slow, as compared 
with that of symmetric keys. Moreover, the lifetime of 
asymmetric keys is short, requiring periodic revocation 
and the creation of new keys. In this case, data encrypt- 
ed with a key and then recorded might suddenly no long- 
er be decryptable on the network. Moreover, a sizeable 
number of pairs of asymmetric keys is necessary. 
[0008] One would then be tempted to implement a 
symmetric key to encrypt the data. However, this would 
require the source devices to be aware of this key, and 
this would impose increased security constraints on 
them and consequently render them more expensive. 

Summary of the invention 

[0009] The subject of the invention is a process of 
symmetric key management in a communication net- 
work comprising a device of a first type furnished with a 
source of data to be broadcast over the network and at 
least one device of a second type intended to receive 
said data. The process comprises the steps of: 

(a) by the device of the first type, determination of 
a first symmetric key and transmission of the first 
key in a secure manner to at least one device of the 
second type; 

(b) by at least one device of the second type, recep- 
tion of the first symmetric key, encryption of the first 
symmetric key with the aid of a second symmetric 
key, known to the devices of the second type of the 
network and transmission of the result of this en- 
cryption to the device of the first type; 

(c) by the device of the first type, recovery and stor- 
age of the encryption of the first symmetric key. 

When the device of the first type has to transmit 
data to at least one device of the second type, the 
process continues via the steps of: 

(d) by the device of the first type, encryption, with 
the aid of the first symmetric key, of data to be trans- 
mitted to at least one device of the second type; 

(e) by the device of the first type, transmission of 
the encrypted data and of the first encrypted sym- 
metric key to at least one device of the second type; 
and 

(f) by at least one device of the second type, de- 
cryption of the first symmetric key encrypted by at 
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least one device of the second type with the aid of 
the second symmetric key and decryption of the en- 
crypted data with the aid of the first symmetric key 
thus recovered. 

[0010] Thus, the encryption of the data to be transmit- 
ted from the appliance of the first type, typically an ac- 
cessway to the network such as a satellite receiver/de- 
coder, to an appliance of a second type, typically a dis- 
play device, is achieved with the aid of a symmetric key 
(the first key mentioned above). 

[001 1 ] The transmission of this first key is carried out 
in an encrypted manner with the aid of a second key, 
which, according to the preferred embodiment, is also 
symmetric. 

[0012] Symmetric keys being shorter than asymmet- 
ric keys, memory space is saved. Moreover, symmetric 
algorithms are faster than asymmetric algorithms: less 
computational power is necessary. Nevertheless, no 
long-term secret (typically the second key) is stored in 
the device of the first type. This device possesses only 
the first key, which it is easy to change frequently, as a 
function of the applications envisaged, in real time and 
in a manner which is transparent as regards the user. 
[001 3] Moreover, the first and second keys, insofar as 
they are symmetric, can be chosen randomly, and do 
not require certification by a third-party authority, there- 
by reducing the costs. 

[0014] The encrypted recorded data (the scrambler 
control words according to the non-limiting exemplary 
embodiment) are so with the aid of a symmetric key, 
which does not possess any preprogrammed expiry 
date. There is therefore no danger of the first encryption 
key no longer being available during playback: the latter 
can be stored, itself encrypted with the aid of the second 
key, together with the data concerned. 
[0015] According to a particular embodiment, the de- 
vice of the first type stores in parallel a plurality of first 
non-encrypted symmetric keys and of first encrypted 
symmetric keys corresponding to the non-encrypted 
keys. Specifically this allows the device of the first type 
to predict the moments at which one or more devices of 
the second type are off or otherwise unavailable and 
during which a new first symmetric key cannot be gen- 
erated. The device of the first type thus has available a 
plurality of first keys, created in advance, which it can 
use one after another, even in the event of the unavail- 
ability of appliances of the second type on the network. 
Specifically, the encrypted data may very well be intend- 
ed for an appliance of a third type (for example a record- 
ing device). 

[001 6] According to a particular embodiment, the first 
symmetric key is renewed at least during the transmis- 
sion of a new series of data, or several times during the 
transmission of a series of data. Depending on the se- 
curity required, that is to say depending on the applica- 
tion envisaged, the first symmetric key is renewed more 
or less frequently. 



[0017] According to a particular embodiment, the in- 
ventive process furthermore comprises a phase of in- 
stallation of a new device of the second type in the net- 
work, the phase of installation comprising the step of 

5 verification of the presence of a device of the second 
type pre-existing in the network, possessing the second 
symmetric key and having the capacity to transmit it se- 
curely and, in the affirmative, the step of transmission 
of the second symmetric key to the new device of the 

io second type, and, in the negative, the step of generation 
of the second symmetric key by the new device of the 
second type. 

[0018] The installation phase is aimed at communi- 
cating the second symmetric key, also called the net- 
15 work key, to all the receivers of the network. 

[0019] The subject of the invention is also a commu- 
nication device suitable for being connected to a com- 
munication network, the device comprising: 

20 - means of encryption of data which deploy an en- 
cryption algorithm implementing a first symmetric 
key; 

a memory comprising the first symmetric key en- 
crypted with the aid of a second key known to at 
25 least one receiver device linked to the network; and 
means of transmission over the network of the data 
encrypted with the aid of the encryption means. 

[0020] Preferably the second key is also a symmetric 
30 key. 

[0021] According to a particular embodiment, the data 
to be encrypted by the communication device above are 
initially unencrypted. 

[0022] According to a particular embodiment, the data 
35 to be encrypted by the communication device are initial- 
ly encrypted, but decrypted by the device so as to be 
encrypted again in the manner indicated. For this pur- 
pose, the device has available means of decryption of 
data originating from a source of encrypted data. This 
40 source may be, by way of example, a satellite, terrestrial 
or cable television network, in which the data flow in an 
encrypted manner. 

[0023] According to another particular embodiment, 
the data to be encrypted by the communication device 
45 are initially encrypted, then encrypted once more in the 
manner indicated. 

[0024] The preferred embodiment is, however, that 
where the data are decrypted before being again en- 
crypted before they are fed into the network. 
so [0025] According to another particular embodiment, 
the means of encryption are provided so as to renew the 
first symmetric key frequently. 

[0026] The subject of the invention is also a device for 
processing data in a communication network, which 
55 comprises: 

means of decryption of a first symmetric key re- 
ceived in an encrypted manner from an appliance 
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of the network, the encryption of the first symmetric 
key having been carried out with the aid of a second 
symmetric key; 

a memory for containing the second symmetric key 
common to all the appliances of a given type of the 
network; and 

means of decryption of encrypted data received 
from the network with the aid of the first symmetric 
key. 

[0027] According to the exemplary embodiment, the 
said device comprises means for descrambling data re- 
ceived from the network, the descrambling means using 
the result of the data decryption carried out with the aid 
of the first symmetric key. 

[0028] According to a particular embodiment, the 
memory containing the second symmetric key further- 
more comprises a pair of asymmetric keys used for the 
secure transmission, to the said processing device, of 
the first symmetric key. The processing device further- 
more comprises means of encryption of the first sym- 
metric key with the aid of the second symmetric key for 
return to the appliance of the network having transmitted 
the first symmetric key. 

Brief description of the drawings 

[0029] Other characteristics and advantages of the in- 
vention will become apparent through the description of 
a particular non-limiting exemplary embodiment made 
explicit with the aid of the attached Figures, among 
which: 

Figure 1 is a block diagram of a communication net- 
work linking several appliances implementing the 
process of the invention according to the exemplary 
embodiment; 

Figure 2 is a flowchart of the process of installation 
of a new receiver device in a communication net- 
work; 

Figure 3 is a time chart illustrating the exchange of 
a symmetric network key between a device pos- 
sessing this key ("Progenitor") and a receiver de- 
vice undergoing installation into the network; 
Figure 4 is a time chart illustrating the communica- 
tions between a source device sending encrypted 
data and a receiver device receiving the said data, 
the communication implementing the symmetric 
keys according to the present exemplary embodi- 
ment. 

Detailed description of an embodiment of the invention 

[0030] An exemplary communication network will 
firstly be described in order to illustrate the way in which 
data and various keys are exchanged. Subsequently, 
the creation and the transmission of each type of key, 
be it within the framework of the installation of a receiver 



device into the network or of a <iata transmission be- 
tween a source device and a receiver device, will be de- 
scribed in greater detail. 

5 I] Description of the network 

[0031] Represented in Figure 1 is a digital home net- 
work comprising a source device 1 , two receiver devices 
2 and 3 and a digital video recorder 4, commonly re- 
10 ferred to as a DVCR (DVCR standing for "Digital Video 
Cassette Recorder"). The collection of devices 1,2,3 
and 4 is plugged into a domestic digital bus B which is, 
for example, a bus accordingto the IEEE 1394 standard. 
[0032] The source device 1 comprises a digital decod- 
es er 1 0 fitted with a chip card reader furnished with a chip 
card 11 . This digital decoder 10 is, in particular, plugged 
into a satellite antenna or into a cable network for re- 
ceiving video programmes distributed by a service pro- 
vider. These programmes are received in a data stream 
20 f, for example in the MPEG-2 format. In a manner 
known per se, they are transmitted in a form scrambled 
by control words CW, these control words being them- 
selves transmitted, in the data stream F, in a form en- 
crypted with the aid of a key K according to a given en- 
25 cryption algorithm so as to remain secret during trans- 
mission. 

[0033] Thus, only users authorized by the service pro- 
vider are permitted to descramble the transmitted data 
(against payment of a subscription, for example). To do 

30 this, the provider supplies the authorized users with the 
key K serving to decrypt the control words CW. Often, 
the authorization to receive the programmes is only tem- 
porary, while the user pays his subscription. The key K 
is therefore regularly modified by the service provider. 

35 [0034] By virtue of the invention, and as will be seen 
hereinbelow, the user will nevertheless be able to record 
programmes transmitted while he is a subscriber and to 
play them back as many times as he wishes onto his 
own network, even when the key K has been changed. 

40 On the other hand, since thedata are recorded in scram- 
bled form as described, it will be possible to play them 
back only on the network of the user who has recorded 
them. 

[0035] In Figure 1 , the network is represented in the 
45 state in which it is when all the appliances have been 
plugged in according to the processes which will be de- 
scribed subsequently. Figure 1 illustrates in particular, 
for the source device 1 and the receiver device 2, all the 
keys contained in each device. The keys represented 
so are not necessarily present at every moment in the de- 
vices. Typically, the device 1 does not store the public 
key PUB2 of the device 2 beyond the exchange of sym- 
metric key Kc as described later, while the device 2 does 
not store the symmetric key Kc beyond the same ex- 
55 change. 

[0036] In particular, each receiver device comprises 
a symmetric network key Kn in a memory. This key is 
distributed to a receiver appliance newly connected to 
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the network by one of the so-called "progenitor" receiver 
appliances. 

[0037] Moreover, each receiver device possesses a 
pair of asymmetric keys (PRI Vx, PUBx), the first key be- 
ing private and the second public. These keys will be 
used within the framework of the authentication of the 
appliances of the network, and for exchanging the sym- 
metric keys. 

[0038] We shall now describe how the data which are 
transmitted in the stream F received by the decoder 10 
are processed. As is known to the person skilled in the 
art, in the case of data transmitted according to the 
MPEG-2 format, the data stream F comprises a succes- 
sion of video data packets, audio data packets and man- 
agement data packets. The management data packets 
comprise in particular control messages denoted ECM 
("ECM" standing for "Entitlement Control Message") in 
which are transmitted, in a form encrypted with the aid 
of a key K, the control words CW which have served to 
scramble the data transmitted in the video and audio da- 
ta packets. 

[0039] This data stream F is transmitted to the chip 
card 11 so as to be processed therein. It is received by 
a demultiplexer module (DEMUX) 12, which module 
transmits, on the one hand to an access control module 
(CA) 1 3 the ECMs and on the other hand to a multiplex- 
ing module (MUX) 15, the scrambled video and audio 
data packets, denoted DE. The CA module contains the 
key K and can thus decrypt the control words CW which 
are contained in the ECMs. The CA module transmits 
these control words CW to a converter module 1 4 which 
contains, according to the invention, a symmetric key 
Kc. The generation of this key and its transmission be- 
tween the appliances will be seen subsequently. 
[0040] The converter module 14 uses the symmetric 
key Kc to encrypt the control words CW and transmit 
these control words, encrypted with the aid of the sym- 
metric key Kc, to the multiplexing module 15 in control 
messages denoted LECM. These messages LECM 
have the same function as the messages ECM received 
in the initial data stream F, namely to transmit the control 
words CW, but in the messages LECM, the control 
words CW are encrypted therein with the aid of the sym- 
metric key Kc instead of being encrypted with the aid of 
the key K of the service provider. 
[0041] Preferably, the key Kc is frequently renewed, 
for example on initiating each data transmission, with 
the aim of preventing the source device from comprising 
a long-term secret, which would require enhanced pro- 
tection. 

[0042] The multiplexing module 1 5 then transmits the 
data packets DE and the converted control messages 
LECM in a data stream F which is received by the de- 
coder 10. It is this data stream P which will then flow 
around the domestic bus B so as to be received, either 
by one of the receiver devices 2 or 3, or by the digital 
video recorder 4 so as to be recorded. 
[0043] In addition to the transmission of the control 



words encrypted with the aid of the symmetric key Kc, 
the source device transmits the key Kc itself to the re- 
ceiver device, but encrypted with the aid of a key Kn by 
an algorithm E2, that is to say it transmits E2{Kn}(Kc). 

5 [0044] In the remainder of the description, the nota- 
tion "E{K}(D) U will always be used to signify encryption 
of data D by an algorithm E with a key K. 
[0045] The key Kn, which we shall refer to hereinafter 
as the network key, does not reside in the source appli- 

10 ance, but in the receiver appliance. Following the crea- 
tion of the key Kc, the latter is transmitted in a secure 
manner to the receiver appliance, which encrypts it with 
the aid of Kn and retransmits the result to the source 
appliance, for subsequent use. 

15 [0046] According to the invention, the data therefore 
always flow in encrypted form in the bus B, and only the 
appliances having access to the symmetric key Kc are 
capable of decrypting the control words CW and there- 
fore of decrypting the said data DE. These appliances 

20 are those possessing the network key Kn. This therefore 
prevents the broadcasting to other local networks of any 
copy made in the domestic network of Figure 1 . 
[0047] In the example of Figure 1 , the modules 12 to 
15 are integrated into the chip card 11 but, in a variant 

25 embodiment, it is possible to place the modules DEMUX 
and MUX in the decoder 10, only the modules 13 and 
14 remaining integrated into the chip card. Specifically, 
since the module CA 13 and the converter module 14 
contain decryption and encryption keys, they must be 

30 integrated into a secure medium such as a chip card. 
[0048] The receiver device 2 comprises a digital tele- 
vision receiver (DTV1 ) 20 fitted with a chip card reader 
furnished with a chip card 21 . The receiver 20 receives 
the data stream P originating either from the decoder 

35 10, or from the digital video recorder 4, through the bus 
B. The data stream P is transmitted to the chip card 21 . 
It is received by a demultiplexer module (DEMUX) 22, 
which transmits, on the one hand, the scrambled video 
and audio data packets DE to a descrambling module 

40 (DES.) 24, and, on the other hand, the converted control 
messages LECM to a terminal module 23, as well as the 
encrypted key E2{Kn}(Kc). 

[0049] The terminal module 23 firstly decrypts E2{Kn} 
(Kc) with the aid of the network key Kn which it possess- 

45 es, so as to obtain the symmetric key Kc. Then, since 
the control messages LECM contain the control words 
CW which have been encrypted with the aid of the key 
Kc, the terminal module can decrypt these control words 
with the aid of the key Kc which it has just calculated, 

so so as to obtain the control words CW as plaintext. The 
control words CW are then transmitted to the descram- 
bling module 24 which uses them to descramble the da- 
ta packets DE and to output plaintext data packets DC 
to the television receiver 20. 

55 [0050] Advantageously, E2{Kn}(Kc) is included in 
each of the LECM messages. In this case, the key Kc 
does not have to be stored by the receiver device for a 
long period. Moreover, it can be recovered quickly - as 
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quickly as the control words CW - so as to allow fast 
descrarnbling of the useful data. This is especially im- 
portant for helping lock-on when a user hops from sta- 
tion to station ("zapping") or when a new receiver appli- 
ance is plugged into the network while a video stream 
is being transmitted ("hotplugging"). 
[0051] In order to secure the final transmission of the 
plaintext data DC between the chip card 21 and the dis- 
play circuits of the television receiver 20, the interface I 
between the said chip card and the card reader of the 
receiver 20 is, for example, made secure according to 
the NRSS American standard (NRSS being the acro- 
nym for National Renewable Security Standard) for se- 
curing chip cards. 

[0052] The second receiver device 3, comprising a 
digital television receiver (DTV2) 30 fitted with a chip 
card reader furnished with a chip card 31 operates in 
exactly the same manner as the receiver device 2 and 
will not be described in greater detail. 
[0053] By virtue of the local digital network which has 
just been described, the data stream F originating from 
a content provider is transformed by the source device 
which receives it into a data stream P in which the data 
(or more precisely the control words CW) are encrypted 
with a symmetric key Kc. The key Kc is transmitted to- 
gether with the data encrypted with its aid, while itself 
being encrypted with the aid of another symmetric key, 
the network key Kn. This data stream P thus contains 
data having a format specific to the local network, which 
data can be decrypted only by the receiver devices of 
the local network which all contain the network key Kn. 
[0054] Moreover, since the key Kc is broadcast to- 
gether with the data (in encrypted form), it can be re- 
corded, for example by the digital video recorder 
(DVCR) 4, at the same time as the data, thereby allow- 
ing subsequent access to the encrypted data. 
[0055] Additionally, since the network key Kn is not 
stored in the source devices, the latter therefore do not 
contain any "long term" secret, requiring increased se- 
curity precautions. 

II] Distribution of the symmetric network key (Kn) 

[0056] All the receiver devices of the network must 
possess the symmetric network key (or secret key) Kn. 
This key is transmitted to a new receiver device by a 
particular receiver device of the network, the progenitor. 
[0057] Each receiver device can be in one of the fol- 
lowing states: Virgin, Progenitor, Sterile. 
[0058] A Virgin receiver device is defined by the fact 
that it does not comprise the symmetric network key Kn. 
This is typically a device which is not yet linked to the 
network. This is the default state of a receiver device. 
[0059] A Sterile device is defined by the fact that it 
possesses the symmetric network key Kn, but that it 
cannot transmit it to another device. 
[0060] A Progenitor device is defined by the fact that 
it possesses the symmetric network key Kn, and that it 



10 

can transmit it to other devices of the network. There 
can exist only one progenitor device in the network. 
[0061 ] The state of a device is stored by a state indi- 
cator IE which is a 2-bit register located in the terminal 

5 module 23 of the receiver device. By convention, it is 
assumed that when the device is in the virgin state, the 
state indicator IE is equal to 00; when the device is in 
the progenitor state, IE = 01 and when the device is in 
the sterile state, IE = 10. 

w [0062] The state indicator IE is preferably contained 
in an integrated circuit in a chip card so as to guarantee 
its tamperproofing. 

[0063] During installation of a receiver device, several 
cases need to be distinguished, as a function, as the 
is case may be, of the state of the receiver devices already 
existing in the network. 

[0064] The flowchart of Figure 2 illustrates the various 
checks and actions undertaken by the receiver device 
in the course of installation. 

20 [0065] After a first installation step 2.0, the new re- 
ceiver device checks initially whether there is a Progen- 
itor in the network (step 2.1). If the answer is in the af- 
firmative, a step of authentication of the new receiver 
and of the Progenitor is carried out (step 2.2) : on the 

25 initiative of the new receiver. This authentication is 
based, for example, on the use of pairs of asymmetric 
keys of the two devices and implements an authentica- 
tion algorithm known per se to the person skilled in the 
art. Once this authentication has been carried out, the 

30 Progenitor transmits the key Kn to the new receiver 
(step 2.3) in a secure manner. The latter then takes the 
Sterile state and modifies its register IE accordingly, 
thereby terminating installation (step 2.9). 
[0066] According to a variant embodiment, when a 

35 new receiver device is installed and detects the pres- 
ence of a Progenitor in the network, the new device 
takes the Progenitor state and forces the previous Pro- 
genitor into the Sterile state. 

[0067] When no Progenitor exists in the network, the 
40 new receiver checks whether at least one Sterile receiv- 
er exists in the network (step 2.4), although no Progen- 
itor exists. If such is the case : then installation is impos- 
sible and the procedure stops (steps 2.5 and 2.9). An 
error message is transmitted to the user, for example on 
45 a display panel of the new receiver. However, even in 
this case, the existing Sterile devices can receive and 
decrypt encrypted data from a source device of the net- 
work. 

[0068] Returning to the flowchart of Figure 2, in the 
50 case where the network comprises neither Progenitor 
nor Sterile device, the new receiver creates a key Kn 
(step 2.6). This key is typically a 1 28-bit key, so as to be 
consistent with the symmetric encryption algorithms 
currently used (for example the "AES" algorithm, the in- 
55 itials standing for "Advanced Encryption Standard" and 
also referred to as "RijndaeP, described by J. Daemen 
and V. Rijmen in "Proceedings from the First Advanced 
Encryption Standard Candidate Conference, National 
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institute of Standards and Technology (NtST), August 
1998" or else the algorithm "TwoFish" described in the 
article "TwoFish - a Block Encryption Algorithm" by B. 
Schneier, J. Kelsey, D. Whiting, D. Wagner N. Ferguson 
and published in the same NIST conference report). 
[0069] The key Kn can be chosen randomly. Once this 
key has been created, the new receiver proclaims itself 
as Progenitor and modifies the content of its register IE 
accordingly (step 2.7). The network of receiver applianc- 
es is then created (step 2.8) and the process concludes 
(step 2.9). 

[0070] Figure 3 is a chart illustrating the exchanges 
between a new receiver device and a pre-existing Pro- 
genitor during installation of the new receiver. So, this 
chart corresponds to step 2.3 of Figure 2. 
[0071] When the new receiver device is installed in 
the network, the receiver device contains a pair of cer- 
tified keys, public PUBr and private PRIVr, and is, ac- 
cording to the invention, in the Virgin state (state indica- 
tor IE=00). The receiver device initially transmits (step 
3.1) its public key PUBr to the Progenitor device. The 
latter encrypts the key Kn with the aid of the public key 
PUBr (step 3.2), and transmits the result of the encryp- 
tion to the receiver device (step 3.3). The latter decrypts 
these data with the aid of its private key PRIVr (step 3.4) 
and thus recovers the key Kn. The receiver device then 
becomes the new Progenitor of the network (its register 
IE goes to the 01 state) and the former Progenitor device 
now becomes Sterile (register IE = 10) in step 3.5. 
[0072] To guarantee the integrity and the origin of the 
key Kn, the Progenitor generates a message authenti- 
cation code ("MAC") on the basis of this key and by way 
of a known algorithm. This code is sent together with the 
encrypted data E{PUBr}(Kn) in step 3.3. It is checked 
by the receiver in step 3.4. The algorithm "HMAC-SHA- 
1" (standing for "Keyed-Hash Message Authentication 
Code") is an example of an algorithm which can be used 
within this framework. 

Ill] Exchange of the short-term symmetric key and 
encryption of the data 

[0073] Let us assume that the new receiver device 
which has just been installed and rendered possessor 
of the symmetric network key Kn according to the proc- 
ess described above is the receiver device 2 of Figure 
1 . This device is therefore kept ready to receive data 
from the source device 1 . 

[0074] Figure 4 illustrates the messages exchanged 
in this regard. 

[0075] Initially (step 4.0), the source device 1 issues 
a request over the network, asking for transmission of 
the public key PUBx to any receiver device. All the re- 
ceiver devices present on the network at that moment 
respond by sending back their public key. We will as- 
sume in what follows that the first key received by the 
source device 1 is the public key PUB2 sent in the 
course of step 4.1 by the receiver device 2. The source 



device takes into account the first message received 
and will then correspond with the corresponding receiv- 
er device. 

[0076] The source device creates and then stores the 

s "short-term" symmetric key Kc (step 4.2), which key will 
serve to encrypt the control words CW. This symmetric 
key is, according to the present exemplary embodiment, 
chosen randomly and preferably possesses a length of 
1 28 bits. The key Kc is encrypted with the aid of the pub- 

10 lie key PUB2 by way of an asymmetric encryption algo- 
rithm E1, for example the "RSA OAEP" algorithm 
(standing for "Rivest, Shamir, Adleman Optimal Asym- 
metric Encryption Padding" - described in PKCS#1: 
RSA Cryptography Specifications, version 2.0 (October 

15 1998)), then transmitted in encrypted form E1{PUB2} 
(Kc) to the receiver device (step 4.4). The latter decrypts 
the key Kc with the aid of its private key PRIV2, encrypts 
it again according to a symmetric encryption algorithm 
E2 with the aid of the symmetric network key Kn (step 

20 4.5) and sends Kc thus encrypted (i.e. E2{Kn}(Kc)) back 
to the source device (step 4.6), which stores this infor- 
mation item (step 4.7). 

[0077] It will be noted that the source device does not 
know the secret key Kn. 

25 [0078] According to the present exemplary embodi- 
ment, the key Kc is created during the initialization of a 
connection between the source device and the receiver 
device. Kc can be created well before the implementa- 
tion of the connection. Kc can also be modified one or 

30 more times during connection. In this case, steps 4.0 to 
4.7, which are essentially aimed at obtaining from a re- 
ceiver device of the network the encryption of the key 
Kc by the network key Kn, need to be repeated. 
[0079] Steps 4.8 to 4.1 1 relate to the transmission of 

35 useful data. 

[0080] The data received by the source device 1 com- 
prise messages ECM. The source device decrypts the 
latter so as to extract therefrom the control words CW, 
then it encrypts the control words CW with the aid of the 

40 symmetric key Kc by way of a symmetric encryption al- 
gorithm E3 (step 4.8). The source device then reinserts 
these encrypted control words (i.e. E3{Kc}(CW)) into the 
data stream and transmits the whole over the bus B 
heading for the receiver device or devices (step 4.9). 

45 Also during step 4.9, the source device sends the key 
Kc encrypted with the aid of Kn which it had previously 
stored in step 4.7. 

[0081] It will also be noted that the useful data trans- 
mitted in step 4.9 are encrypted according to a symmet- 
50 ric encryption algorithm E4 with the aid of the control 
words CW. 

[0082] The receiver devices can decrypt E2{Kn)(Kc) 
with the aid of Kn (step 4.10) and, possessing Kc t can 
access the control words CW and thus descramble the 
55 usef u I data (step 4.11). 

[0083] The algorithms E2, E3 and E4 can be identical 
or different. It will, for example, be possible to use the 
AES algorithm or the TwoFish algorithm which have al- 
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ready been cited. 

[0084] Transmitting Kc encrypted with the aid of the 
symmetric network key Kn implies that only the receiver 
devices of the network can access Kc. Moreover, sev- 
eral receiver devices can simultaneously decode the da- 5 
ta sent. 

[0085] During the creation of a key Kc, it is necessary 
for at least one receiver device installed in the manner 
described to reside in the network in order to transmit 
the key Kc encrypted with the network key Kn to the 10 
source device which has generated this key Kc. How- 
ever, the data transmitted by the source device and en- 
crypted at least partially with the aid of this key may very 
well be intended for another appliance of the network, 2. 
such as a recorder appliance, which would not neces- 15 
sarily possess the function of decryption of the data 
which it records. 

[0086] According to a variant of the exemplary em- 
bodiment, the source device stores several keys Kc en- 
crypted with the aid of the network key Kn, with the cor- 20 
responding keys Kc, in anticipation of forthcoming data 
transmissions. 

[0087] Although, according to the present example, it 
is essentially the control words CW which are decrypted 
by the source device and encrypted again with the aid 25 
of the symmetric key Kc, the invention is plainly not lim- 
ited to this example. In particular, other data may be de- 
crypted, then encrypted again with the aid of this key. 
Moreover, certain data may be encrypted with the aid of 
the symmetric key without, however, having been de- 30 
crypted previously by the source device. In this latter 
case, it is necessary to think about making the key K 
(required in order to decrypt the first encryption carried 
out) available in a secure manner to the receiver devic- 3. 
es. 35 
[0088] Finally, the data to be encrypted by the source 
device may reach it in unencrypted form. 
[0089] Additionally, the invention is not limited to the 
transmission of audio/video data. Data of any type may 
be transmitted in the manner set forth. 40 

4. 

Claims 

1. Process of symmetric key management in a com- 45 
munication network comprising: 

5. 

a device of a first type (1) furnished with a 
source of data to be broadcast over the network 
and so 
at least one device of a second type (2) intend- 
ed to receive said data, the process being char- 
acterized in that it comprises the steps of: 

(a) by the device of the first type (1 ), deter- ss 
mination (4.2) of a first symmetric key (Kc) 
and transmission (4.4) of the first key (Kc) 
in a secure manner (E1{PUB2}(Kc)) to at 



least one device of the second type (2); 

(b) by at least one device of the second 
type (2), reception of the first symmetric 
key (Kc), encryption (E2) of said first sym- 
metric key with the aid of a second sym- 
metric key (Kn) , known to the devices of the 
second type (2) of the network and trans- 
mission (4.6) of the result of this encryption 
to the device of the first type; 

(c) by the device of the first type (1 ), recov- 
ery and storage (4.7) of the encryption (E2 
{Kn}(Kc)) of the first symmetric key (Kc). 

Process according to Claim 1, characterized in 
that it furthermore comprises the steps of: 

(d) by the device of the first type (1 ), encryption 
(E3), with the aid of the first symmetric key<Kc), 
of data (CW) to be transmitted to at least one 
device of the second type (2); 

(e) by the device of the first type (1 ), transmis- 
sion (4.9) of the encrypted data (E3{Kc}(CW)) 
and of the first encrypted symmetric key (E2 
{Kn}(Kc)) to at least one device of the second 
type (2); 

(f) by at least one device of the second type (2), 
decryption (4.1 0) of the first symmetric key (Kc) 
encrypted by at least one device of the second 
type with the aid of the second symmetric key 
(Kn) and decryption (4.11 ) of the encrypted da- 
ta with the aid of the first symmetric key (Kc) 
thus recovered. 

Process according to one of Claims 1 and 2, char- 
acterized in that the device of the first type (1) 
stores in parallel a plurality of first non-encrypted 
symmetric keys (Kc) and of first encrypted symmet- 
ric keys (E2{Kn}(Kc)) corresponding to the non-en- 
crypted keys. 

Process according to one of Claims 1 to 3, charac- 
terized in that the first symmetric key is renewed 
at least during the transmission of a new series of 
data, or several times during the transmission of a 
series of data. 

Process according to one of Claims 1 to 4, charac- 
terized in that it furthermore comprises a phase of 
installation of a new device of the second type in 
the network, the phase of installation comprising the 
step of verification (2.1 ) of the presence of a device 
of the second type pre-existing in the network, pos- 
sessing the second symmetric key (Kn) and having 
the capacity to transmit it securely and, 

in the affirmative, the step of transmission (2.3) 
of the second symmetric key (Kn) to the new 
device of the second type, and 
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in the negative, the step of generation (2.6) of 
the second symmetric key (Kn) by the new de- 
vice of the second type. 

6. Communication device (1) suitable for being con- s 
nected to a communication network, said device 
comprising 

means (14) of encryption of decrypted data 
(CW); « 

characterized in that the encryption means 
(14) deploy an encryption algorithm (E3) imple- 
menting a first symmetric key (Kc) and in that the 
device furthermore comprises: 1 ' 

a memory comprising the first symmetric key 
encrypted (E2{Kn}(Kc)) with the aid of a second 
key (Kn) known to at least one receiver device 
(2) linked to the network; and & 
means (10, 15) of transmission over the net- 
work of the data encrypted with the aid of the 
encryption means (14). 



12. Device according to one of Claims 10 or 11 , char- 
acterized in that the memory furthermore compris- 
es a pair of asymmetric keys (PRIV2, PUB2) for the 
secure transmission, to said processing device (2), 
of the first symmetric key (Kc) and in that said de- 
vice furthermore comprises means of encryption 
(23) of the first symmetric key (Kc) with the aid of 
the second symmetric key (Kn) for return to the ap- 
pliance (1) of the network having transmitted the 
first symmetric key (Kc). 



7. Device according to Claim 6, furthermore compris- 25 
ing means (13) of decryption of data originating 
from a source of encrypted data. 



8. Device according to Claim 7, characterized in that 

the means of encryption (1 4) are provided so as to so 
renew the first symmetric key (Kc) frequently. 



9. Device according to one of Claims 6 to 8, charac- 
terized in that the second key (Kn) is symmetric. 

35 

10. Device for processing data (2) in a communication 
network, characterized in that it comprises: 

means (23) of decryption of a first symmetric 
key (Kc) received in an encrypted manner (E2 40 
{Kn}(Kc)) from an appliance of the network, the 
encryption of the first symmetric key having 
been carried out with the aid of a second sym- 
metric key (Kn); 

a memory for containing the second symmetric 43 
key (Kn) common to alt the appliances of a giv- 
en type of the network; and 
means (23) of decryption of encrypted data re- 
ceived from the network (LECM) with the aid of 
the first symmetric key (Kc). 50 



11. Device according to Claim 10, characterized in 
that the said device comprises means of descram- 
bling (24) data received from the network, said de- 
scrambling means using the result (CW) of the data 55 
decryption (LECM) carried out with the aid of the 
first symmetric key (Kc). 
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